[wp-trac] [WordPress Trac] #43175: Discussion - Pseudonymisation
WordPress Trac
noreply at wordpress.org
Tue Apr 24 16:42:31 UTC 2018
#43175: Discussion - Pseudonymisation
-------------------------+------------------------------
Reporter: xkon | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: gdpr | Focuses:
-------------------------+------------------------------
Comment (by iandunn):
Replying to [comment:5 David 279]:
> The biggest issue I see at the moment with Encryption of user Data is
> that the key needs to be on a different server
Can you cite the section of GDPR that says it needs to be on a separate
server? I couldn't find it, and am curious to read the details.
In addition to separate servers not being practical from Core's
perspective (comment:7), I'm also skeptical of how much security would be
gained. If an attacker finds a vulnerability that allows them to
modify the database, but not the filesystem, then in most cases they can
just change the password of an existing admin, log in, and upload a
malicious plugin.
If they find a vulnerability where they gain access to the file system but
not the database, then they can easily grab the database credentials from
`wp-config.php` and make queries through PHP.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43175#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform